General systems theory is a relatively new and rapidly growing mathematical discipline which shows great promise for application in the computer sciences. The discipline includes both "general systems-theory" and "general-systems theory": that is, one may properly read the phrase "general systems theory" in both ways.


In this paper, we have borrowed from the works of general systems theorists, principally from the basic work of Mesarovic,
to  formulate  a  mathematical  framework  within  which  to  deal  with  the 
problems  of  secure  computer  systems.  At  the  present  time  we  feel 
that  the  mathematical  representation  developed  herein  is  adequate 
to  deal  with  most  if  not  all  of  the  security  problems  one  may  wish 
to  pose.  In  Section  III  we  have  given  a  result  which  deals  with  the 
most  trivial  of  the  secure  computer  systems  one  might  find  viable 
in  actual  use.  In  the  concluding  section  we  review  the  application 
of  our  mathematical  methodology  and  suggest  major  areas  of  concern 
in  the  design  of  a  secure  system. 

The results reported in this paper lay the groundwork for further, more specific investigation into secure computer systems. The investigation will proceed by specializing the elements of the model to represent particular aspects of system design and operation. Such an investigation will be reported in the second volume of this series, where we assume a system with centralized access control. A preliminary investigation of distributed access is just beginning; the results of that investigation will be reported in a third volume of the series.
SECTION I

INTRODUCTION 

GENERAL  SYSTEMS 

We shall begin by presenting a brief description of general systems theory as we shall use it in this paper. We consider a system in its most general form to be a relation on abstract sets.

We  express  this  mathematically  by  the  expression 

$S \subseteq X \times Y$

where the system $S$ is a relation on the abstract sets $X$ and $Y$. If $S$ is a function from $X$ to $Y$ ($S: X \to Y$), then it is natural to consider $S$ to be a functional system. In this case, it is convenient to consider the elements of $X$ to be inputs and the elements of $Y$ to be outputs so that $S$ expresses a functional input-output relationship. By appropriate choice of the sets $X$ and $Y$ (and a set $Z$ to represent states when necessary), one can closely represent some situation of particular interest and reach significant conclusions about that situation.

This  very  general  definition  of  a  system  provides  a  framework 
of  investigation  which  has  very  wide  applicability  and,  as  we  shall 
see  in  Section  III,  unexpected  power.  We  shall  illustrate  the 
concept's  applicability  with  three  examples. 

Example 1: Consider a savings account in a bank which compounds interest quarterly. The general situation of varying payments, withdrawals, and interest rates can be described by a difference equation as follows:

$b_k = (b_{k-1} + p_k) \cdot (1 + i_k)$    (1.1)

where $b_k$ represents the balance after the computation of interest at the end of the $k$-th quarter, $p_k$ represents the net transaction (that is, the net of deposits and withdrawals) in the account during the $k$-th quarter,* and $i_k$ represents the quarterly interest rate at the end of the $k$-th quarter. A seven-year history of such a savings account (seven years for tax purposes) is represented by a system

$S(b_0) \subseteq P \times I \times B$

where

$b_0$ represents the initial balance in the account;

$P = R^{28}$† represents the twenty-eight transactions;

$I = R^{28}$ represents the twenty-eight quarterly interest rates;

and $B = R^{28}$ represents the twenty-eight successive balances;

and $(p, i, b) \in S(b_0)$ if and only if equation (1.1) holds for every $k$ from 1 to 28 inclusive, where $p = (p_1, \ldots, p_{28})$; $i = (i_1, \ldots, i_{28})$; and $b = (b_1, \ldots, b_{28})$. The system $S(b_0)$ describes in full generality the seven-year savings-account history in any circumstance. Certain results in econometrics are equivalent to determining $b_{28}$ under further specific assumptions. For example, the determination of $b_{28}$ for $(p, i, b) \in S(0)$ where $p_2 = \cdots = p_{28} = 0$ and $i_1 = i_2 = \cdots = i_{28} > 0$ is accomplished using the compound interest formula

$b_{28} = p_1 \cdot (1 + i_1)^{28}.$

*We assume for simplicity that interest is paid on the amount in the account at the end of the quarter.

†The set of 28-tuples of real numbers.


A number of remarks concerning this example are in order. It is certainly true that the use of an econometric table prepared for a specific situation is easier than the direct use of the difference equation (1.1). On the other hand, small changes in a situation can make the use of tables cumbersome. For example, suppose that the $p_j$ in the sequence $(p_1, p_2, \ldots, p_{28})$ are positive and distinct and that $i_1 = i_2 = \cdots = i_{28} > 0$. Then by use of econometric tables, we compute $b_{28}$ by the formula

$b_{28} = \sum_{j=1}^{28} p_j \cdot (F/P,\, i_1,\, 29 - j).$*

This means that the compound amount factor $(F/P,\, i_1,\, 29 - j)$ must be looked up 28 times in the compound interest factors table one is using. If we further complicate the problem by having the $i_k$ in $(i_1, i_2, \ldots, i_{28})$ distinct and positive, then we could compute $b_{28}$ by the iterative method:

$b_{28} = (b_{27} + p_{28}) \cdot (F/P,\, i_{28},\, 1);$
$b_{27} = (b_{26} + p_{27}) \cdot (F/P,\, i_{27},\, 1);$
$\vdots$
$b_1 = (b_0 + p_1) \cdot (F/P,\, i_1,\, 1);$

or we could use the single formula obtainable by straightforward algebraic substitution in the equations above. So, to find $b_{28}$, we start with $b_0$ and work backwards up the list; in using the compound interest factors tables we should have to do 28 look-ups, each on a different page, since in each quarter the interest is different from that in any other quarter. If it happens that each $i_k$ is below the lowest interest rate for which we have a table, our problem has become even more severe. It is much easier in these cases, especially on a digital computer, simply to use the difference equation (1.1).

*See [5], page 594.

The preceding remarks should illustrate that the most important characteristics of the system (that is, the difference equation) are its appropriateness to the situation modeled and its general applicability.

Example 2: Consider the motion of a body B suspended on an ideal spring. The motion is governed by the differential equation

$m \cdot s''(t) + k \cdot s(t) = x(t)$    (1.2)

where $m$ is the mass of B, $s(t)$ is the position of B at time $t$, $k$ is a constant of the spring, and $x(t)$ is an external force acting on B at time $t$. If $C$ is the set of all analytic functions on $[0, \infty)$, then the differential equation (1.2) with initial conditions $s(0) = a$ and $s'(0) = b$ is represented by the system $S(a, b)$ defined as follows:

$S(a, b) \subseteq C \times C$

where $(x(t), s(t)) \in S(a, b)$ if and only if $s(0) = a$, $s'(0) = b$, and the functions $x$ and $s$ satisfy (1.2) for all $t \in [0, \infty)$.

Hence the familiar analytical tool of differential equations is a system under our very broad definition. Our third example will show that finite-state machines are also encompassed in our concept of system.


Example 3: Consider a vending machine which accepts nickels, dimes, and quarters for a ten-cent cup of coffee and gives change if any is due. Let $A = \{5, 10, 25\}$ represent the coins acceptable to the machine. Let $B_1 = \{\emptyset, C\}$ where "$\emptyset$" means "no coffee" and "C" means "coffee". Let $B_2 = \{0, 5, 10, 25\}$ represent the coins the machine can return. The set $B = B_1 \times B_2 \times B_2$ specifies the set of outputs that can occur at any time. Now let the set $Q = \{q_0, q_1\}$ represent the states of the machine ($q_0$: no credit held; $q_1$: a single nickel held). We give a state transition function $f: A \times Q \to Q$ and an output function $g: A \times Q \to B$ by the following table:

Table I
State Transition and Output Functions

               a = 5          a = 10         a = 25
f(a, q_0)      q_1            q_0            q_0
g(a, q_0)      (∅, 0, 0)      (C, 0, 0)      (C, 5, 10)
f(a, q_1)      q_0            q_0            q_1
g(a, q_1)      (C, 0, 0)      (C, 5, 0)      (∅, 0, 25)

We have now modeled the vending machine as a finite-state machine in the usual manner.

Now suppose that we observe $n$ trials. Let $A^n$ and $B^n$ be, respectively, the sets of all $n$-tuples from the sets $A$ and $B$. Then for a given initial state $q = q_i$, $i \in \{0, 1\}$, there corresponds to any input tape $x$ in $A^n$ a unique output tape $y$ in $B^n$. We have defined a mapping

$S_q: A^n \to B^n$

such that for each $x$ in $A^n$ the image $y = S_q(x)$ is the unique output sequence corresponding to the input sequence $x$ and the initial state $q = q_i$. We say that the vending machine is represented by the system $S \subseteq A^n \times B^n$ where $S = S_{q_0} \cup S_{q_1}$. Considering that in normal operation of the machine the initial state is $q_0$, we can consider the vending machine to be the functional system $S_{q_0}$.

The examples we have presented are intended to enhance the intelligibility of the discussion of system modeling in the next section. Additionally, the enrichment of one's intuitive notions through the use of examples will, hopefully, serve a similar purpose in the next section.

SYSTEM  MODELING 

The  mathematics  of  relations  among  objects  with  which  we  deal 
is  designed  to  provide  a  useful  model  for  our  investigation  of  secure 
computer  systems.  Three  desirable  properties  of  such  a  model  suggested 
by  the  examples  of  the  previous  section  are  generality,  a  predictive 
ability,  and  appropriateness.  In  this  section,  we  shall  discuss  each 
of  these  properties  in  turn,  commenting  on  its  relation  to  a  "useful" 
model  of  a  particular  situation. 

Differential equations are systems that frequently display great generality. Equation (1.2) illustrates this point clearly. Without knowing the mass of B and without specifying the spring constant $k$, we can nevertheless analyze the general system. In fact, for $x(t) \equiv 0$, (1.2) has the closed form solution

$s(t) = A \cdot \sin(nt + C),$    (1.3)

where $n = (k/m)^{1/2}$ and $A$ and $C$ are constants determined by the initial conditions $a$ and $b$. Moreover, equation (1.2) is a special case of the more general form

$s''(t) + 2k \cdot s'(t) + n^2 \cdot s(t) = x(t)$

(with $k$ here a damping coefficient rather than the spring constant) which models a vast number of elastic vibrations including electrical oscillations (as in a capacitor) and the vibrations in pipe organs [2].

A model too closely tied to a specific application loses the possibility of more general applicability. On the other hand, a model insufficiently rooted in the problem at hand will not allow accurate prediction of the behavior of the physical system being modeled. For example, knowing the initial conditions of the suspended weight B, the mass of B, and the spring constant $k$, we can predict precisely where B will be 5.83337 seconds from "let-go." The same sort of precise predictive power is desirable in modeling discrete computer systems. Moreover, in modeling secure computer systems we must deny ourselves the luxury of accepting approximate answers and insist on absolute rather than probabilistic determinacy.


The last important feature of a model is its appropriateness to the situation of interest. In each of the three examples of Section I, the type of system used appropriately described the important properties of the situation being modeled. One particular advantage of an appropriate model can be illustrated by the third example, while the severe problems which an inappropriate model can cause can be demonstrated by a discussion of the second example.

The vending machine modeled in Example 3 illustrates that problems other than correctness can be detected in a model appropriate to a given situation. In particular, the machine we have defined has this interesting characteristic: if in state $q_1$ one continually inserts quarters into the machine, the machine monotonously returns a quarter and gives no coffee. This is a behavioral characteristic which the vending machine company might consider undesirable. We have purposely constructed our sample machine in this way in order to show that while the machine is "correct" in its operation, we may consider it to be non-viable as a profit-making item.*
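The following is an added example and not code from the paper: Example 3's vending machine written out as a finite-state machine in Python, with the mapping $S_q: A^n \to B^n$ computed from the transition and output functions of Table I, and a check for the behavior just described (a quarter inserted in state $q_1$ is handed straight back with no coffee, and the state does not change). The function and variable names (`s_q`, `tally`, `quarter_trap`) are assumptions chosen for this illustration; the sample input tape is constructed.

```python
# Added example (not part of the paper): Example 3's vending machine as a
# finite-state machine.  Names such as s_q, tally and quarter_trap are assumptions.
from typing import Dict, List, Tuple

NO_COFFEE, COFFEE = "no coffee", "C"          # the two elements of B_1
Output = Tuple[str, int, int]                  # an element of B = B_1 x B_2 x B_2
A = (5, 10, 25)                                # the acceptable coins

# Table I.  State q0: no credit held; q1: one nickel held.
F: Dict[Tuple[str, int], str] = {
    ("q0", 5): "q1", ("q0", 10): "q0", ("q0", 25): "q0",
    ("q1", 5): "q0", ("q1", 10): "q0", ("q1", 25): "q1",
}
G: Dict[Tuple[str, int], Output] = {
    ("q0", 5): (NO_COFFEE, 0, 0), ("q0", 10): (COFFEE, 0, 0), ("q0", 25): (COFFEE, 5, 10),
    ("q1", 5): (COFFEE, 0, 0),    ("q1", 10): (COFFEE, 5, 0), ("q1", 25): (NO_COFFEE, 0, 25),
}


def s_q(q: str, x: List[int]) -> List[Output]:
    """S_q(x): the unique output tape in B^n for the input tape x in A^n, starting in state q."""
    y: List[Output] = []
    for a in x:
        if a not in A:
            raise ValueError(f"coin {a} is not in A")
        y.append(G[(q, a)])       # output function g(a, q)
        q = F[(q, a)]             # transition function f(a, q)
    return y


def tally(y: List[Output]) -> Tuple[int, int]:
    """(cups of coffee dispensed, total cents returned as change) over an output tape."""
    return sum(o[0] == COFFEE for o in y), sum(o[1] + o[2] for o in y)


def quarter_trap(q: str) -> bool:
    """True if a quarter inserted in state q comes straight back with no coffee and the
    machine stays in q: the 'correct but non-viable' behaviour discussed in the text."""
    return F[(q, 25)] == q and G[(q, 25)] == (NO_COFFEE, 0, 25)


if __name__ == "__main__":
    tape = [5, 25, 25, 25]                     # constructed input: a nickel, then three quarters
    print(s_q("q0", tape), tally(s_q("q0", tape)))
    print({q: quarter_trap(q) for q in ("q0", "q1")})
```

Running the constructed tape from $q_0$ shows the point of the passage: one nickel moves the machine to $q_1$, and every quarter after it is returned unchanged, so the customer gets three quarters back and no coffee while the machine keeps the nickel.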

Now consider the situation modeled in Example 2. If a discrete model had been chosen over a continuous one, the model might have been represented by discrete observations of the spring-weight tandem

$u_t = s(t), \quad t = 0, 1, 2, 3, \ldots$    (1.4)

where $s(t)$ is the same position function appearing in (1.2). Suppose B has mass $m = 1$ gram, the time interval is 1 second, and the spring constant is $k = 39.478$ g/sec². In this special case $n = (k/m)^{1/2} = 2\pi$, so the period of the motion in (1.3) is exactly the one-second observation interval, and the motion of B indicates no apparent movement: the body B is in the same position ($s(0)$) at each observation time. The


*This characteristic (i.e., returning quarters inserted after a single nickel has been put into the machine) is one which might irritate customers and not sell coffee in the process. An alternative approach which, although not correct, might be more acceptable to a vending machine company would be to set $f(25, q_1) = q_0$ and $g(25, q_1) = (C, 5, 10)$: that is, make change for the quarter, supply coffee, and ignore the nickel. Purposefully or inadvertently, this may well be the course chosen by some vending machine companies.
periodicity of B's motion is precisely what makes a continuous differential-equation model more appropriate than a discrete model of the type described (in addition to the more accurate predictive power). The point is that an inappropriate model of a problem situation can obfuscate the essential issues involved, thus complicating the problem.

The  major  task  in  system  modeling  is  to  provide  a  useful  model 
of  the  situation  under  scrutiny,  a  model  which  exhibits  generality, 
a  predictive  ability,  and  appropriateness  to  the  problem  at  hand. 

SECURE  COMPUTER  SYSTEMS 

A number of systems have been built and designed which attack the general problem of security in some form and to some extent. In some cases, privacy of data is the principal objective; in others, the prime objective is access control. For the security criteria which we shall establish, however, no existing system of which we are aware is adequate.*

When we speak of a secure computer system, we mean one which satisfies some definition of "security". Our interest is security in the usual military and governmental senses, that is, security involving classifications and needs-to-know.

We shall investigate a bounded form of the general problem of security. Our interest shall be to certify that within the digital computer, which is only part of a total system, no security compromise will occur. The elements with which we shall deal, then, are processes (programs in execution), data, access control algorithms, classifications of data and processes, and the needs-to-know of elements within the digital computer.


*See  reference  [13]  at  the  end  of  this  section. 
PROBLEMS OF SECURITY


Let us consider a security compromise to be unauthorized access to information, where unauthorized means that an inappropriate clearance or a lack of need-to-know is involved in the access to the information. Then a central problem to be solved within the computing system is how to guarantee that unauthorized access (by a process) to information (file, program, data) does not occur.

If  we  can  certify  that  unauthorized  access  cannot  occur  within 
the  system,  then  we  must  next  consider  the  secondary  effects  of  the 
method  by  which  security  has  been  achieved.  Principally  we  shall  have 
to  address  ourselves  to  the  general  question  of  the  viability  of  the 
resultant  system  in  terms  of  economic  and  technological  feasibility 
and  in  terms  of  usefulness  to  the  user. 

SUMMARY  AND  REFERENCES 

In this chapter we have introduced general systems theory very briefly and have shown examples of its application. Together with the short discussion on system modeling, the general systems theory and examples should provide an adequate basis for reading the rest of this paper.

The reader who may wish to investigate systems theory for himself is referred first to the book edited by Klir [9], which can profitably be read with or without any background in mathematics. The reader will find further examples of systems in the book [14] by Mesarovic, Macko, and Takahara. In particular, beginning on page 89 of [14] the reader will find the basic mathematical concept of a system which we have borrowed. Other books which should be of interest are those by Klir [8], Hammer [6], von Bertalanffy [1], and Zadeh and Polak [15].
In the section entitled SECURE COMPUTER SYSTEMS we defined in broad terms what we mean by a secure computer system. Our general notion of a secure system is derived in large measure from essentials of a secure system abstracted from the Multics system, as an archetype of multi-user systems, and from a knowledge of security problems. The reader can find numerous articles in the literature which touch on the area of a secure computer system; we list [3,4,10,11,12] as representative of what is available. As we pointed out, however, none of the generally available literature deals specifically with the problem we address in this paper.

Finally, we have indicated in this chapter what we consider to be the general problems we shall encounter in investigating secure computer systems.
SECTION II

FOUNDATIONS  OF  A  MATHEMATICAL  MODEL 

ELEMENTS  OF  THE  MODEL 

We begin by identifying elements of the model which correspond to parts of the real system to be modeled. We assume the real system to have multiple users operating concurrently on a common data base with multi-level classification for both users and data and need-to-know categories associated with both users and data. In our model we deal with subjects (processes), which one should consider surrogates for the users.


We  show  the  elements  of  our  model  in  Table  II,  wherein  we 
identify  sets,  elements  of  the  sets,  and  an  interpretation  of  the 
elements  of  the  sets. 

Table II
Elements of the Model

Set                   Elements                                                          Semantics

S                     $\{S_1, S_2, \ldots, S_n\}$                                       subjects; processes, programs in execution

O                     $\{O_1, O_2, \ldots, O_m\}$                                       objects; data, files, programs, subjects

C                     $\{C_1, C_2, \ldots, C_q\}$, $C_1 > C_2 > \cdots > C_q$            classifications; clearance level of a subject, classification of an object

K                     $\{K_1, K_2, \ldots, K_r\}$                                       needs-to-know categories; project numbers, access privileges

A                     $\{A_1, A_2, \ldots, A_p\}$                                       access attributes; read, write, copy, append, owner, control

R                     $\{R_1, R_2, \ldots, R_u\}$                                       requests; inputs, commands, requests for access to objects by subjects

D                     $\{D_1, D_2, \ldots, D_v\}$                                       decisions; outputs, answers, "yes", "no", "error"

T                     $\{1, 2, \ldots, t, \ldots\}$                                     indices; elements of the time set; identification of discrete moments; an element $t$ is an index to request and decision sequences

$P\alpha$             all subsets of $\alpha$                                           power set of $\alpha$

$\alpha^\beta$        all functions from the set $\beta$ to the set $\alpha$

$\alpha \times \beta$ $\{(a, b): a \in \alpha,\ b \in \beta\}$                            Cartesian product of the sets $\alpha$ and $\beta$

F                     $C^S \times C^O \times (PK)^S \times (PK)^O$;                      classification/need-to-know vectors;
                      an arbitrary element of F is written                              $f_1$: subject-classification function
                      $f = (f_1, f_2, f_3, f_4)$                                        $f_2$: object-classification function
                                                                                        $f_3$: subject-need-to-know function
                                                                                        $f_4$: object-need-to-know function

X                     $R^T$; an arbitrary element of X is written $x$                   request sequences

Y                     $D^T$; an arbitrary element of Y is written $y$                   decision sequences

$\mathbf{M}$          $\{M_1, M_2, \ldots, M_{2^{nmp}}\}$; an element $M_k$ of           access matrices
                      $\mathbf{M}$ is an $n \times m$ matrix with entries from $PA$;
                      the $(i,j)$-entry of $M_k$ shows $S_i$'s access attributes
                      relative to $O_j$

V                     $P(S \times O) \times \mathbf{M} \times F$                         states

Z                     $V^T$; an arbitrary element of Z is written $z$;                  state sequences
                      $z_t \in z$ is the $t$-th state in the state sequence $z$



STATES OF THE SYSTEM

We have defined the states of the system in such a way as to embody all the information which we consider pertinent to security considerations.

A state $v \in V$ is a 3-tuple $(b, M, f)$ where

$b \in P(S \times O)$, indicating which subjects have access to which objects in the state $v$;

$M \in \mathbf{M}$, indicating the entries of the access matrix in the state $v$; and

$f \in F$, indicating the clearance level of all subjects, the classification level of all objects, and the needs-to-know associated with all subjects and objects in the state $v$.


STATE-TRANSITION  RELATION 

Let $W \subseteq R \times D \times V \times V$. The system $\Sigma(R, D, W, z_0) \subseteq X \times Y \times Z$ is defined by

$(x, y, z) \in \Sigma(R, D, W, z_0)$ if and only if $(x_t, y_t, z_t, z_{t-1}) \in W$ for each $t \in T$, where $z_0$ is a specified initial state usually of the form $(\emptyset, M, f)$, where $\emptyset$ denotes the empty set.

$W$ has been defined as a relation. It can be specialized to be a function, although this is not necessary for the development herein. When considering design questions, however, $W$ will be a function, specifying next-state and next-output. $W$ should be considered intuitively as embodying the rules of operation by which the system in any given state determines its decision for a given request and moves into a next state.

SUMMARY  AND  REFERENCES 

In this section we have established elements of a mathematical model of a system; these elements were chosen to represent as nearly as possible the realities of the problem situation and to enable as easy a transition as possible from mathematical model to design specifications.

The states of the system have been defined in such a way as to incorporate all information which seems pertinent to correct operation of a secure system ("secure system" to be defined precisely in the next section).

Finally, we have included in the model a state-transition relation $W$ which is the key to modeling: given $W$ one may predict the behavior of the system for a given set of initial conditions and a given request sequence.
SECTION III


A  FUNDAMENTAL  RESULT 

COMPROMISE  AND  SECURITY 

We define a compromise state as follows: $v = (b, M, f) \in V$ is a compromise state (compromise) if there is an ordered pair $(S, O) \in b$ such that

(i) $f_1(S) < f_2(O)$ or

(ii) $f_3(S) \not\supseteq f_4(O)$.

In other words, $v$ is a compromise if the current allocation of objects to subjects ($b$) includes an assignment ($(S, O)$) with at least one of two undesirable characteristics:

(i') S's clearance is lower than O's classification;

(ii') S does not have some need-to-know category that is assigned to O.

In order to make later discussions and arguments a little more succinct, we shall define a security condition. $(S, O) \in S \times O$ satisfies the security condition relative to $f$ (SC rel $f$) if

(iii) $f_1(S) \geq f_2(O)$ and

(iv) $f_3(S) \supseteq f_4(O)$.

A state $v = (b, M, f) \in V$ is a secure state if each $(S, O) \in b$ satisfies SC rel $f$. The definitions of secure states and compromise states indicate the validity of the following unproved proposition.

Proposition: $v \in V$ is not a secure state iff $v$ is a compromise.

A state sequence $z \in Z$ has a compromise if $z_t$ is a compromise for some $t \in T$. $z$ is a secure state sequence if $z_t$ is a secure state for each $t \in T$. We shall call $(x, y, z) \in \Sigma(R, D, W, z_0)$ an appearance of the system. $(x, y, z) \in \Sigma(R, D, W, z_0)$ is a secure appearance if $z$ is a secure state sequence. The appearance $(x, y, z)$ has a compromise if $z$ has a compromise.

$\Sigma(R, D, W, z_0)$ is a secure system if every appearance of $\Sigma(R, D, W, z_0)$ is secure. $\Sigma(R, D, W, z_0)$ has a compromise if any appearance of $\Sigma(R, D, W, z_0)$ has a compromise.

Proposition: $z \in Z$ is not secure iff $z$ has a compromise.

Proposition: $\Sigma(R, D, W, z_0)$ is not secure iff $\Sigma(R, D, W, z_0)$ has a compromise.


ASSUMPTIONS 

We make assumptions, as shown in Table III, which reflect a subset of requirements (or lack of requirements) to be imposed on the system. In Section IV we shall change some of these assumptions and observe the effect on the system.

Table III
Initial Requirements

REQUIREMENTS              RAISE?      LOWER?
SUBJECT CLEARANCE         NO          NO
OBJECT CLASSIFICATION     NO          NO

                          INCREASE?   DECREASE?
SUBJECT NEEDS-TO-KNOW     NO          NO
OBJECT NEEDS-TO-KNOW      NO          NO
Table III, in effect, says that "no" is the answer to each of the questions

"Is there a requirement to {raise, lower, increase, decrease} a {subject's, object's} {classification/clearance, needs-to-know}?"

BASIC  SECURITY  THEOREM 

Basic Security Theorem: Let $W \subseteq R \times D \times V \times V$ be any relation such that $(R_i, D_j, (b^*, M^*, f^*), (b, M, f)) \in W$ implies

(i) $f = f^*$ and

(ii) every $(S, O) \in b^* - b$ satisfies SC rel $f^*$.

$\Sigma(R, D, W, z_0)$ is a secure system for any secure state $z_0$.

Proof: Let $z_0 = (b, M, f)$ be secure. Pick $(x, y, z) \in \Sigma(R, D, W, z_0)$ and write $z_t = (b^{(t)}, M^{(t)}, f^{(t)})$ for each $t \in T$.

$z_1$ is a secure state: $(x_1, y_1, z_1, z_0) \in W$. Thus by (i), $f^{(1)} = f$. By (ii), every $(S, O)$ in $b^{(1)} - b$ satisfies SC rel $f^{(1)}$. Since $z_0$ is secure, every $(S, O) \in b$ satisfies SC rel $f$. Since $f = f^{(1)}$, every $(S, O) \in b^{(1)}$ satisfies SC rel $f^{(1)}$. That is, $z_1$ is secure.

If $z_{t-1}$ is secure, $z_t$ is secure: $(x_t, y_t, z_t, z_{t-1}) \in W$. Thus by (i), $f^{(t)} = f^{(t-1)}$. By (ii), every $(S, O)$ in $b^{(t)} - b^{(t-1)}$ satisfies SC rel $f^{(t)}$. Since $z_{t-1}$ is secure, every $(S, O) \in b^{(t-1)}$ satisfies SC rel $f^{(t-1)}$. Since $f^{(t)} = f^{(t-1)}$, every $(S, O) \in b^{(t)}$ satisfies SC rel $f^{(t)}$. That is, $z_t$ is secure. By induction, $z$ is secure so that $(x, y, z)$ is a secure appearance. $(x, y, z)$ being arbitrary, $\Sigma(R, D, W, z_0)$ is secure.
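As an added example that is not part of the paper, the definitions of compromise and secure state from the start of this section and the Basic Security Theorem are carried out in Python on a constructed system with two subjects and two objects. The rule `W_basic` meets hypotheses (i) and (ii): it never changes $f$ and admits a pair into $b$ only if that pair satisfies SC rel $f$, so every appearance it generates is secure whatever the access matrix $M$ permits. `W_unsafe` drops hypothesis (ii) and lets $M$ alone decide; the same request sequence then reaches a compromise. The names (`sc_rel_f`, `secure_state`, `run`, `W_basic`, the subject and object names, the numeric encoding of the classification levels) are assumptions chosen for this illustration.

```python
# Added example (not part of the paper): a small executable instance of the model
# of Sections II and III.  Level numbers, subject/object names and function names
# are assumptions chosen for illustration.
from typing import Callable, Dict, FrozenSet, List, Tuple

Pair = Tuple[str, str]                        # an (S, O) element of S x O
NTK = FrozenSet[str]                          # an element of PK: a set of need-to-know categories
Fvec = Tuple[Dict[str, int], Dict[str, int], Dict[str, NTK], Dict[str, NTK]]  # f = (f1, f2, f3, f4)
Matrix = Dict[Pair, FrozenSet[str]]           # (i, j)-entry of M: a subset of A
State = Tuple[FrozenSet[Pair], Matrix, Fvec]  # v = (b, M, f)
Request = Tuple[str, str, str]                # (subject, object, access attribute)

# Classifications C_1 > C_2 > ... > C_q, encoded so that the larger number dominates.
LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def sc_rel_f(s: str, o: str, f: Fvec) -> bool:
    """(S, O) satisfies SC rel f: (iii) f1(S) >= f2(O) and (iv) f3(S) is a superset of f4(O)."""
    f1, f2, f3, f4 = f
    return f1[s] >= f2[o] and f3[s] >= f4[o]


def secure_state(v: State) -> bool:
    """v = (b, M, f) is a secure state iff every (S, O) in b satisfies SC rel f."""
    b, _, f = v
    return all(sc_rel_f(s, o, f) for s, o in b)


def compromise(v: State) -> bool:
    """Compromise state: some (S, O) in b violates (i) or (ii); equivalently, v is not secure."""
    return not secure_state(v)


def W_basic(r: Request, v: State) -> Tuple[str, State]:
    """A rule of operation meeting the theorem's hypotheses: (i) f is never changed,
    (ii) a pair enters b only if it satisfies SC rel f.  The access-matrix check is an
    arbitrary extra policy; the theorem holds with or without it."""
    b, m, f = v
    s, o, attr = r
    if attr not in m.get((s, o), frozenset()) or not sc_rel_f(s, o, f):
        return "no", v
    return "yes", (b | {(s, o)}, m, f)


def W_unsafe(r: Request, v: State) -> Tuple[str, State]:
    """The same rule with hypothesis (ii) dropped: M alone decides and f is ignored."""
    b, m, f = v
    s, o, attr = r
    if attr not in m.get((s, o), frozenset()):
        return "no", v
    return "yes", (b | {(s, o)}, m, f)


def run(w: Callable[[Request, State], Tuple[str, State]], z0: State,
        x: List[Request]) -> Tuple[List[str], List[State]]:
    """Generate the appearance (x, y, z) of Sigma(R, D, W, z0): for each t,
    (x[t], y[t], z[t], z[t-1]) is in W, with z[0] = z0."""
    y, z = [], [z0]
    for r in x:
        d, v = w(r, z[-1])
        y.append(d)
        z.append(v)
    return y, z


def secure_appearance(z: List[State]) -> bool:
    """The appearance is secure iff z is a secure state sequence."""
    return all(secure_state(v) for v in z)


def sample_initial_state() -> State:
    """Constructed sample: z0 = (empty b, permissive M, f) with two subjects and two objects."""
    subjects = {"alice": ("secret", {"nuclear"}), "bob": ("confidential", set())}
    objects = {"plan": ("secret", {"nuclear"}), "memo": ("confidential", set())}
    f1 = {s: LEVEL[lvl] for s, (lvl, _) in subjects.items()}
    f2 = {o: LEVEL[lvl] for o, (lvl, _) in objects.items()}
    f3 = {s: frozenset(k) for s, (_, k) in subjects.items()}
    f4 = {o: frozenset(k) for o, (_, k) in objects.items()}
    # M grants read and write to everyone on everything: the theorem places no demand on M.
    m: Matrix = {(s, o): frozenset({"read", "write"}) for s in subjects for o in objects}
    return frozenset(), m, (f1, f2, f3, f4)


def sample_requests() -> List[Request]:
    """Constructed request sequence x; the second request would be a compromise."""
    return [("alice", "plan", "read"), ("bob", "plan", "read"), ("bob", "memo", "write")]


if __name__ == "__main__":
    for w in (W_basic, W_unsafe):
        y, z = run(w, sample_initial_state(), sample_requests())
        print(w.__name__, y, "secure appearance:", secure_appearance(z))
```

The check inside `W_basic` is exactly hypothesis (ii), applied to the one pair being added and to nothing else in the state. That is why the access matrix, and any rules for changing it, play no part in the security result, which is the observation taken up in Section IV; the permissive `M` in the sample shows it, since `W_basic` still refuses the request that `W_unsafe` grants.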

SUMMARY 

In this chapter we have applied the mathematical model of Section II to the modeling of a secure computer system. We have defined a secure system precisely, through the definitions of security and compromise, and have given a rule of operation, $W$, which we have shown guarantees that the system is secure in its operation.
SECTION IV
CONCLUSION


INTRODUCTION 

We attempted to provide in Section I a motivation and basis for the remainder of this paper. We pointed out three desirable properties of a model (generality, predictive ability, and appropriateness) and these were illustrated by example. Also, we discussed the general principle that the specificity of prediction is roughly proportional to the amount and level of detail of information available about the system being modeled; this was illustrated by the discussion of the spring-mass system.

Subsequently, we developed a mathematical model of general applicability to the study of secure computer systems, abstracting the elements of the model from our own and others' notions of what the real system may be like.

We  then  applied  the  model,  under  a  given  set  of  assumptions ,  to 
the  question  of  security  (compromise).  We  gave  a  rule  by  which,  for 
the  assumptions  given,  the  system  would  remain  secure  in  its  operation; 
we  also  gave  a  proof  of  the  last  assertion. 

Notice  this  important  point:  our  proof  did  not  depend  on  the 
choice  of  elements  for  the  set  A  (access  attributes).  This  means 
that  any  set  is  acceptable  and  any  access  matrix  is  acceptable. 

Stated  differently,  we  have  shown  that  under  the  given  assumptions 
security  of  the  system  is  independent  of  the  access  matrix  and  the 
rules  (if  any)  by  which  the  access  matrix  is  changed. 
Thus, we have modeled the system in such generality that we are not in a position to investigate its viability. For, clearly, one may arbitrarily choose rules of access matrix control while retaining the property of security. Therefore, one may choose the rules in such a way as to prevent users from ever acquiring access to information; the severe danger is that a set of rules might be chosen which has an intuitive sense of correctness but which may lead the system into undesirable states.

We shall address ourselves in this section to some of the specific
questions to be considered if a viable system is to be developed from
our model.

PROBLEM  REFORMULATION 

One may change the system problem to be attacked in a variety of
ways. In general one states a set of requirements and a set of
criteria to be met. The requirements and criteria may be very general
or very specific: the more specific these are, the more specific can
be the behavior predicted by modeling and the greater the probability
that a viable system will result from the design into which the model
is transformed.

In our situation we can immediately recognize two areas of problem
reformulation. First, one may change the requirements of the
type we assumed in Section III. We shall, in fact, do so and derive
a result from the changed assumptions. Second, one may impose
criteria to be met by the access control mechanisms of the system.

We shall investigate these briefly in the next two sections.
We change the assumptions we made in Section III, as shown in
Table IV.


Table IV

Modified Requirements

REQUIREMENTS               RAISE?      LOWER?
SUBJECT CLEARANCE          YES         NO
OBJECT CLASSIFICATION      NO          YES

                           INCREASE?   DECREASE?
SUBJECT NEEDS-TO-KNOW      YES         NO
OBJECT NEEDS-TO-KNOW       NO          YES

Basic Security Theorem (revised):

Let $W \subseteq R \times D \times V \times V$ be any relation such that
$(R_i, D_j, (b^*, M^*, f^*), (b, M, f)) \in W$ implies

(i)  $f_1^*(S) \geq f_1(S)$ for each $S \in \mathcal{S}$,
     $f_2^*(O) \leq f_2(O)$ for each $O \in \mathcal{O}$,
     $f_3^*(S) \supseteq f_3(S)$ for each $S \in \mathcal{S}$,
     $f_4^*(O) \subseteq f_4(O)$ for each $O \in \mathcal{O}$, and

(ii) every $(S,O) \in b^* - b$ satisfies SC rel $f^*$.

Then $\Sigma(R,D,W,z_0)$ is a secure system for any secure state $z_0$.

Proof: Let $z_0 = (b, M, f)$ be secure.

Pick $(x,y,z) \in \Sigma(R,D,W,z_0)$ and write $z_t = (b^{(t)}, M^{(t)}, f^{(t)})$
for each $t \in T$.

$z_1$ is a secure state.

$(x_1, y_1, z_1, z_0) \in W$. By (ii), every $(S,O)$ in $b^{(1)} - b$ satisfies
SC rel $f^{(1)}$. Since $z_0$ is secure, every $(S,O)$ in $b$
satisfies SC rel $f$; that is, $f_1(S) \geq f_2(O)$ and
$f_3(S) \supseteq f_4(O)$. By (i), we have, for each
$(S,O)$ in $b^{(1)} - (b^{(1)} - b)$,
$f_1^{(1)}(S) \geq f_1(S) \geq f_2(O) \geq f_2^{(1)}(O)$ and
$f_3^{(1)}(S) \supseteq f_3(S) \supseteq f_4(O) \supseteq f_4^{(1)}(O)$, so that
each $(S,O)$ in $b^{(1)}$ satisfies SC rel $f^{(1)}$.

That is, $z_1$ is secure.

If $z_{t-1}$ is secure, then $z_t$ is secure.

$(x_t, y_t, z_t, z_{t-1}) \in W$. By (ii), every $(S,O)$ in
$b^{(t)} - b^{(t-1)}$ satisfies SC rel $f^{(t)}$. Since
$z_{t-1}$ is secure, every $(S,O)$ in $b^{(t-1)}$
satisfies SC rel $f^{(t-1)}$; that is,
$f_1^{(t-1)}(S) \geq f_2^{(t-1)}(O)$ and $f_3^{(t-1)}(S) \supseteq f_4^{(t-1)}(O)$.
By (i), we have for each $(S,O)$ in $b^{(t)} - (b^{(t)} - b^{(t-1)})$,
$f_1^{(t)}(S) \geq f_1^{(t-1)}(S) \geq f_2^{(t-1)}(O) \geq f_2^{(t)}(O)$ and
$f_3^{(t)}(S) \supseteq f_3^{(t-1)}(S) \supseteq f_4^{(t-1)}(O) \supseteq f_4^{(t)}(O)$, so that
each $(S,O)$ in $b^{(t)}$ satisfies SC rel $f^{(t)}$. That
is, $z_t$ is secure.

By induction, $z_t$ is secure for every $t \in T$, so that $(x,y,z)$
is a secure appearance. $(x,y,z)$ being arbitrary,
$\Sigma(R,D,W,z_0)$ is secure.
The revised theorem just proved indicates that dynamic

(i)   raising of subject clearance;

(ii)  lowering of object classification;

(iii) increasing of subject needs-to-know; and

(iv)  decreasing of object needs-to-know

can be provided in the system without security compromise. Again,
however, the proof is independent of what is happening in the access
matrix, the subject of the next section.

We  note  here  that  our  investigations  into  the  security  of  a  system 
in  the  cases  that  a  subject's  clearance  may  be  lowered  dynamically, 
an  object's  classification  may  be  increased  dynamically,  and  similar 
changes  in  needs-to-know  are  as  yet  undocumented.  Those  investigations 
lead  us  to  believe  that  severe  questions  of  the  viability  of  the 
resulting  system  are  raised  by  the  options  listed  above. 

ACCESS  CONTROL 

In  a  real  sense,  the  relation  W  we  have  specified  provides  a 
rule  of  access  control  which  governs  security  as  we  have  defined  it. 

We  have  also  provided  in  the  model  for  access  control  to  govern 
protection,  privilege,  and  mode  of  use  through  the  access  matrix  we 
have  defined. 

Two problems are immediately evident. First, unless the system
guarantees the inviolability of rule W, our security theorem does
not apply. Second, unless we deal with some specific criteria and
rules relating to the access matrix, we can say little if anything
concerning viability of the system; again, if access matrix controls
are provided, the system must be structured so as to guarantee their
inviolability, else our modeling will not apply.
Let us consider a situation in which the interaction of
security control and access control can cause a compromise. Specifically,
if a subject $S_i$ is allowed "append" access to an object
$O_k$, a file or segment, then guaranteeing inviolability of
rule W means the system must prevent $S_i$ from appending information
of a classification higher than that of $O_k$: otherwise we risk having
$(S_j, O_k)$ in $b$, where $S_j$ has "read" access to $O_k$, while
$f_1(S_j) < f_2(O_k)$, resulting in compromise. This example shows that
inadequate access controls (over the "append" access of $S_i$ to $O_k$)
can cause a violation of W (by raising $f_2(O_k)$, contrary to our
assumption up to this point), resulting in a compromise state.
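
The following Python program is an added example and is not code from the paper. It renders the state $z = (b, M, f)$, the security condition SC rel $f$, conditions (i) and (ii) of the revised theorem as a check on a proposed transition $(z^*, z)$, and the append/read interaction just described, so it serves both the theorem and this section. The subjects $S_i$ and $S_j$, the object $O_k$, the levels U < C < S < TS, the need-to-know categories, and the clearances and classifications assigned to them are all constructed for the illustration; the access matrix M is carried only to show that it plays no part in the security condition, as the text notes.

```python
# Added example (not from the paper): an executable reading of the state
# z = (b, M, f), the condition "SC rel f", the revised rule W, and the
# append/read compromise.  All subjects, objects, levels and categories
# below are constructed for the illustration.
from dataclasses import dataclass, replace

# Assumed classification lattice: totally ordered levels; need-to-know
# categories are compared by set inclusion.
LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class F:
    f1: dict  # subject clearance, S -> C
    f2: dict  # object classification, O -> C
    f3: dict  # subject need-to-know, S -> subset of K
    f4: dict  # object need-to-know, O -> subset of K


@dataclass(frozen=True)
class State:
    b: frozenset  # current accesses, a set of (S, O) pairs
    M: tuple      # access matrix; irrelevant to the security condition
    f: F


def sc_rel(pair, f):
    """(S, O) satisfies SC rel f iff f1(S) >= f2(O) and f3(S) is a superset of f4(O)."""
    S, O = pair
    return LEVEL[f.f1[S]] >= LEVEL[f.f2[O]] and f.f3[S] >= f.f4[O]


def is_secure(z):
    """A state is secure iff every current access satisfies SC rel f."""
    return all(sc_rel(p, z.f) for p in z.b)


def w_allows(z_new, z_old):
    """Conditions (i) and (ii) of the revised theorem on the pair (z*, z)."""
    fn, fo = z_new.f, z_old.f
    cond_i = (
        all(LEVEL[fn.f1[S]] >= LEVEL[fo.f1[S]] for S in fo.f1)     # clearance may only rise
        and all(LEVEL[fn.f2[O]] <= LEVEL[fo.f2[O]] for O in fo.f2)  # classification may only fall
        and all(fn.f3[S] >= fo.f3[S] for S in fo.f3)                # subject NTK may only grow
        and all(fn.f4[O] <= fo.f4[O] for O in fo.f4)                # object NTK may only shrink
    )
    cond_ii = all(sc_rel(p, fn) for p in z_new.b - z_old.b)         # new accesses checked against f*
    return cond_i and cond_ii


def append_guard(S, O, data_level, f):
    """Access-matrix side of the append example: S may append to O only if the
    appended data is classified no higher than O; otherwise f2(O) would have
    to rise, which rule W forbids."""
    return LEVEL[data_level] <= LEVEL[f.f2[O]]


def run(z0, proposals):
    """Mirror the induction in the proof: from a secure z0, accept each proposed
    next state only if W allows it.  Returns, per step,
    (accepted_by_W, secure_if_applied_anyway)."""
    assert is_secure(z0)
    z, trace = z0, []
    for z_star in proposals:
        ok = w_allows(z_star, z)
        trace.append((ok, is_secure(z_star)))
        if ok:
            z = z_star
    return trace


def scenario():
    """Constructed sequence: one permitted change per Table IV, two forbidden ones."""
    f0 = F(f1={"Si": "TS", "Sj": "C"}, f2={"Ok": "S"},
           f3={"Si": frozenset({"NUC", "CRYPTO"}), "Sj": frozenset({"NUC"})},
           f4={"Ok": frozenset({"NUC"})})
    z0 = State(b=frozenset({("Si", "Ok")}), M=(), f=f0)   # secure initial state
    # 1. Raise Sj's clearance to S and let Sj read Ok: allowed by Table IV.
    f1_ = replace(f0, f1={**f0.f1, "Sj": "S"})
    z1 = State(b=z0.b | {("Sj", "Ok")}, M=(), f=f1_)
    # 2. Lower Sj's clearance back to C while it still reads Ok: forbidden by (i).
    z2 = State(b=z1.b, M=(), f=replace(f1_, f1={**f1_.f1, "Sj": "C"}))
    # 3. Si appends TS data to Ok and the system raises f2(Ok) to TS: a violation
    #    of W, and with (Sj, Ok) still in b a compromise state.
    z3 = State(b=z1.b, M=(), f=replace(f1_, f2={"Ok": "TS"}))
    # 4. Lowering Ok's classification to C is allowed and keeps the state secure.
    z4 = State(b=z1.b, M=(), f=replace(f1_, f2={"Ok": "C"}))
    trace = run(z0, [z1, z2, z3, z4])
    guard = append_guard("Si", "Ok", "TS", f1_)   # the append that step 3 assumed
    return trace, guard


if __name__ == "__main__":
    print(scenario())
```

Steps 2 and 3 of scenario() are rejected by the rule: step 2 lowers a subject's clearance (Table IV: no), and step 3 is the append case, where raising $f_2(O_k)$ violates condition (i) and, were it applied anyway, leaves $(S_j, O_k)$ in $b$ with $f_1(S_j) < f_2(O_k)$. append_guard is the access-matrix side of the remedy: refuse the append rather than relabel the object. The check in run() is only meaningful if nothing outside it can alter $f$ or $b$, which is the inviolability requirement stated above.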

DATA  BASE  SHARING 

We  have  assumed  a  shared  data  base  for  the  multi-user  system  but 
have  stated  no  requirements  nor  criteria  for  "correct"  sharing. 

The  concluding  remark  of  the  preceding  section  suggests  that  we 
must  do  so.  At  least,  we  must  specifically  prevent  the  situation 
we  discussed;  alternatively,  one  might  choose  to  change  our  definition 
of  compromise.  Unfortunately,  a  change  in  the  definition  of  compromise 
in  this  situation  would  be  in  the  direction  of  weakening  rule  W  with 
the  result  that  the  model  will  reflect  the  real  problem  less  accurately 
than  we  have  succeeded  in  doing  thus  far. 

In  addition,  one  may  impose  additional  criteria  relating  to 
sharing  of  the  data  base,  such  as  prevention  of  deadlock,  preserva¬ 
tion  of  integrity  of  the  information,  and  prevention  of  permanent 
blocking — such  criteria  have  to  do  with  reliability  of  the  system 
and  therefore  relate  to  its  usefulness. 
SUMMARY  AND  REFERENCES 

In this chapter we have discussed the generalities of changing
the definition of the problem to be solved. We showed an example
by stating and proving the security theorem for a new set of
assumptions relating to changes in classifications and needs-to-know.

We  pointed  out  briefly  that  the  system  which  one  might  develop 
from  our  model  would  have  to  guarantee  inviolability  of  the  rule  of 
operation  W.  Techniques  have  been  documented  which  use  hardware, 
software,  or  combinations  of  these  for  protection  of  privileged 
algorithms;  references  [1,2,3,4,5,6,8,9,10]  are  relevant. 

We  discussed  briefly  the  question  of  a  shared  data  base.  For  a 
discussion  of  problems  and  a  solution  see  [7]. 

In  summary,  we  have  attempted  to  show  in  this  section  that  the 
model  can  be  used  to  answer  questions  posed  with  a  given  set  of 
requirements  and  criteria  and  to  indicate  that  a  central  problem  in 
the  design  of  a  secure  system  will  be  to  certify  that  the  access 
controls  are  inviolable. 